Skip to content

Commit 1a5c464

Browse files
mnespormnespor
committed
Copy own __proto__ on older versions of node
- In the __proto__ test, construct the source object with Object.defineProperty() instead of JSON.parse() - Use Object.getOwnPropertyDescriptor() when cloning an own __proto__ to work around a bug in accessing __proto__ in some environments
1 parent 632cc9c commit 1a5c464

File tree

2 files changed

+16
-12
lines changed

2 files changed

+16
-12
lines changed

index.js

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -45,10 +45,16 @@ var setProperty = function setProperty(target, options) {
4545
}
4646
};
4747

48-
// Return a new object instead of __proto__ if '__proto__' is not an own property
48+
// Return undefined instead of __proto__ if '__proto__' is not an own property
4949
var getProperty = function getProperty(obj, name) {
50-
if (name === '__proto__' && !hasOwn.call(obj, name)) {
51-
return undefined;
50+
if (name === '__proto__') {
51+
if (!hasOwn.call(obj, name)) {
52+
return undefined;
53+
} else if (Object.getOwnPropertyDescriptor) {
54+
// In early versions of node, obj['__proto__'] is buggy when obj has
55+
// __proto__ as an own property. Object.getOwnPropertyDescriptor() works.
56+
return Object.getOwnPropertyDescriptor(obj, name).value;
57+
}
5258
}
5359

5460
return obj[name];

test/index.js

Lines changed: 7 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -628,15 +628,13 @@ test('non-object target', function (t) {
628628
});
629629

630630
test('__proto__ is merged as an own property', function (t) {
631-
var malicious = JSON.parse('{ "fred": 1, "__proto__": { "george": 1 } }');
632-
// this test isn't valid for earlier versions of V8, which strip __proto__ during JSON.parse()
633-
if (Object.prototype.hasOwnProperty.call(malicious, '__proto__')) {
634-
var target = {};
635-
extend(true, target, malicious);
636-
t.notOk(target.george);
637-
t.ok(Object.prototype.hasOwnProperty.call(target, '__proto__'));
638-
t.deepEqual(target.__proto__, { george: 1 }); // eslint-disable-line no-proto
639-
}
631+
var malicious = { fred: 1 };
632+
Object.defineProperty(malicious, '__proto__', { value: { george: 1 }, enumerable: true });
633+
var target = {};
634+
extend(true, target, malicious);
635+
t.notOk(target.george);
636+
t.ok(Object.prototype.hasOwnProperty.call(target, '__proto__'));
637+
t.deepEqual(Object.getOwnPropertyDescriptor(target, '__proto__').value, { george: 1 });
640638

641639
t.end();
642640
});

0 commit comments

Comments
 (0)